"Array of byte" vs "aobscan script" speed

[Solenya]

I have a question on how to speed up a slow aob scan script I have. So the aob I am scanning for is "DF D8 10 00 FF FF FF FF" and it can take about 1.5 mins to find the value when using a script with:

aobscan(Camera, DF D8 10 00 FF FF FF FF)

I have tried to use aobscanmodule but it does not return a match. eg. below:

aobscanmodule(Camera, game.exe, DF D8 10 00 FF FF FF FF)

When I scan for the aob in cheat engine by typing DF D8 10 00 FF FF FF FF as the value and setting the "Value Type" to "Array of byte" the scan is completed in about 5-10 secs with the correct result. How can I change my script to scan faster like Cheat Engine's "Array of byte" scan. Also the memory is non-executable and pointer scanning is out of the picture because it is too time consuming.

[Metanoia]

I need a little more context. You mention a script but you haven't shown it.
Are you sure the shit you're looking for is in game.exe?

[Solenya]

I need a little more context. You mention a script but you haven't shown it.
Are you sure the shit you're looking for is in game.exe?

I don't think the aob I'm scanning for is in game.exe but I thought I would include what I have tried so far. The whole script is just the aobscan.

Code: Select all

[ENABLE]

aobscan(Camera,DF D8 10 00 FF FF FF FF)
registersymbol(Camera)

[DISABLE]
unregistersymbol(Camera)

This scan will take over 1 min whereas if I use Cheat Engine's Array of byte scan it is a lot faster. Is it because of the fast scan option or something similar that isn't available in the aobscan function?

[Metanoia]

If you can do it in Lua and see if that fixes it. Try something like this:
local xxx = createMemScan()
xxx.OnlyOneResult = true
xxx.firstScan(soExactValue, vtByteArray, nil, 'Aob here', nil, start Address here, end Address here, "*W+X*C", fsmNotAligned, 0, true, nil, nil, nil)

print(xxx.Result)
xxx.destroy()
xxx = nil

There are these :
AOBScan(x,x,x,x,...):
scans the currently opened process and returns a StringList object containing all the results. don't forget to free this list when done
Bytevalue of higher than 255 or anything not an integer will be seen as a wildcard
AOBScan(aobstring, OPTIONAL protectionflags, OPTIONAL alignmenttype, OPTIONAL alignmentparam): see above but here you just input one string
AOBScanUnique(aobstring, OPTIONAL protectionflags, OPTIONAL alignmenttype, OPTIONAL alignmentparam)- Integer: scans for the aobstring and returns the first result it finds and nil if nothing is found. Make sure it is unique as it will return the first result found as it will return any random match
AOBScanModuleUnique(modulename, aobstring, OPTIONAL protectionflags, OPTIONAL alignmenttype, OPTIONAL alignmentparam)- Integer : scans for the aobstring in the designated module

But i prefer memscans

If you need it in asm then just check the module name when you scan and go to that address.

Aob scans are super fast because of how they work same with string scans becuase you can just convert the string to bytes so i dont see why it would take a entire minute to scan. Ill test some stuff on diablo(Im assuming this is the game) as well later to see why this would be happing.

[Paul44]

^^ AND: an image of your CE table showing how you've set your aobscan params there !
=> also: experiment with 'mem scan options':
1) select game exe: if no result, you do 2)
2) some other "very_game_specific" dll (eg game.dll)
~> based on the dll you've found: a. use lua code as detailed by #Metanoia b. use aobscanmodule w/ dll reference

[SunBeam]

Considering the introduction, I'd ask for the game name. Seems to me he's either scanning for an aob pointing to data, not executable code -OR- it's executable code and a mono/Unity game where code is compiled when needed, in allocated memory. I've been using panraven's Lua aobScanEx ([Link]) for some time now and it's faster than regular aobscan. You can configure it to scan just in executable memory -or- full memory (it's all based on the page access flags).